NFS and Firewall Issue

My file/web server is configured and running properly. I have no issues sharing directories via NFS until my firewall becomes part of the equation. But it's not as simple as it sounds...

First off, I'm using ufw and know which ports to open; my ufw config is fine. The /etc/exports file also has the correct configuration for the shared folders. When another computer on the same network is booted up, the NFS shares will not connect as they are configured in /etc/fstab. In order to enable the connection of the shares, the server must have the firewall disabled, then the client can mount the shares (via mount -a). At this point, the firewall on the server can be re-enabled with no ill effects on any of the clients.

That's right: the shares will stay connected after the firewall is re-enabled, but will not connect if the server's firewall is enabled when the client PC boots.

How do I know it's a firewall issue? The other PCs also each have NFS shares that properly connect on boot of any other PC. So the server, the media PC, and the workstation each have NFS shares -- but only the server's firewall causes an issue when either of the other two PCs boot.

So the RPCMOUNTDOPTS= options were different, but I changed it to what you suggested and then restarted nfs-kernel-server. I didn't even have to reboot my workstation to see the effects of the changes, as Nautilus stopped responding immediately, and playback of music files located on the server also stopped and froze Rhythmbox. Nautilus finally recovered after two or three minutes and was able to reopen (after killing the running processes), and I was also able to restart Rhythmbox.

But just to be safe, I decided to reboot the server first and see what happens. When it completed the reboot, my workstation was locked out of the shared folders again until I disabled the firewall on the server. I think I may have finally figured out what is causing the issue, though:

As you can see, the only random port being assigned is to nlockmgr. Unfortunately, it was difficult and very time-consuming to find any solution to setting nlockmgr to a specific port. All the information I found by Googling was distro-specific for anything except Ubuntu, until I found this Launchpad bug report:

Unfortunately for me, it doesn't actually solve my problem. I'm still unable to connect to the shares on the firewalled server until I disable the firewall and then mount the shares on each client. And just like before, I can then re-enable the firewall without disconnecting the shares on each client.

Well, I can't say how foolish I feel for posting this, fretting over it for a few more hours, and then rereading my post to see the answer right in front of me...

My ufw rules clearly state the 192.0.0.0/24 subset, and yet all the computers on my local network are in the 198.162.2.x subset. Since I had changed their IP addresses from 10.0.0.x to 192.168.2.x, I neglected to change the rules properly, which had previously listed the 10.0.0.0/24 subset.

So, kids, the moral of the story is: double-check all your changes and make sure there are no errors.
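Both failure causes in this thread (an RPC service on an unpinned port that no rule covers, and allow rules whose source subnet does not match the clients) can be caught with a quick audit of `rpcinfo -p` against `ufw status`. The following Python check is an added example, not something posted in the thread; the `rpcinfo` and `ufw` outputs it parses are constructed samples with invented port numbers, and the output column layout assumed is that of the standard `rpcinfo -p` and `ufw status` commands.

```python
import ipaddress
import re

# Constructed `rpcinfo -p` output for the NFS server; ports are invented for
# this example. Everything is pinned except nlockmgr, which took an ephemeral port.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   tcp  32767  mountd
    100021    1   tcp  39901  nlockmgr
"""
# Constructed `ufw status` output with the thread's mistaken 192.0.0.0/24 source.
UFW_SAMPLE = """\
To                         Action      From
--                         ------      ----
111/tcp                    ALLOW       192.0.0.0/24
2049/tcp                   ALLOW       192.0.0.0/24
32767/tcp                  ALLOW       192.0.0.0/24
"""

def parse_rpcinfo(text):
    # Yield (service, proto, port) for each data row of `rpcinfo -p`.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit():
            yield parts[4], parts[2], int(parts[3])

def parse_ufw(text):
    # Return (port, proto, source network) for each port-specific ALLOW rule.
    rules = []
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+ALLOW(?: IN)?\s+(\S+)", text, re.M):
        src = "0.0.0.0/0" if m.group(3) == "Anywhere" else m.group(3)
        rules.append((int(m.group(1)), m.group(2), ipaddress.ip_network(src, strict=False)))
    return rules

def audit(rpcinfo_text, ufw_text, client_ip):
    # Map "service port/proto" -> reason the given client cannot reach it.
    client = ipaddress.ip_address(client_ip)
    rules = parse_ufw(ufw_text)
    problems = {}
    for service, proto, port in parse_rpcinfo(rpcinfo_text):
        key = "%s %d/%s" % (service, port, proto)
        matching = [r for r in rules if r[0] == port and r[1] == proto]
        if not matching:
            problems[key] = "no rule for %d/%s" % (port, proto)
        elif not any(client in r[2] for r in matching):
            problems[key] = "rule source %s does not contain %s" % (matching[0][2], client_ip)
    return problems
```

Run `audit(RPCINFO_SAMPLE, UFW_SAMPLE, "192.168.2.10")` to see every service flagged for the wrong source subnet and nlockmgr flagged for having no rule at all; after correcting the subnet only the nlockmgr finding remains, which is why that port also needs pinning.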